Check Point. What it is, what it's eaten with, or briefly about the main thing

Hello, dear Habr readers! This is the corporate blog of the company TS Solution. We are a systems integrator and specialize mainly in IT infrastructure security solutions (Check Point, Fortinet) and machine data analysis systems (Splunk). We will start our blog with a short introduction to Check Point technologies.

We thought for a long time about whether it was worth writing this article, because there is nothing new in it that could not be found on the Internet. However, despite the abundance of such information, when working with customers and employees we often hear the same questions. So we decided to write a kind of introduction to the world of Check Point technologies and to reveal the essence of the architecture of their solutions. And all of this within one "small" post, a quick tour, so to speak. Moreover, we will try not to get into marketing wars, because we are not a vendor, just a systems integrator (although we really do like Check Point), and we will simply go over the main points without comparing them with other manufacturers (such as Palo Alto, Cisco, Fortinet, etc.). The article turned out to be rather long, but it covers most of the questions that come up when getting acquainted with Check Point. If you are interested, read on...

UTM/NGFW

When starting a conversation about Check Point, the first thing to begin with is an explanation of what UTM and NGFW are and how they differ. We will do this briefly so that the post does not get too long (perhaps in the future we will look at this topic in a little more detail).

UTM - Unified Threat Management

In short, the essence of UTM is the consolidation of several security tools in one solution, i.e. everything in one box, a kind of all-inclusive. What is meant by "several tools"? The most common set is: firewall, IPS, proxy (URL filtering), streaming antivirus, anti-spam, VPN and so on. All of this is combined within one UTM solution, which is easier in terms of integration, configuration, administration and monitoring, and this in turn has a positive effect on the overall security of the network. When UTM solutions first appeared, they were considered suitable only for small companies, because UTMs could not handle large volumes of traffic. There were two reasons for this:

  1. Packet processing method. The first versions of UTM solutions processed packets sequentially, module by module. Example: first the packet is processed by the firewall, then by the IPS, then it is checked by the antivirus, and so on. Naturally, such a mechanism introduced serious delays in traffic and consumed a lot of system resources (processor, memory).
  2. Weak hardware. As mentioned above, sequential packet processing consumed a lot of resources, and the hardware of that time (1995-2005) simply could not cope with heavy traffic.

But progress does not stand still. Since then, hardware capacity has increased significantly, and packet processing has changed (it must be admitted that not all vendors have this) and now allows almost simultaneous analysis in several modules at once (firewall, IPS, antivirus, etc.). Modern UTM solutions can "digest" tens and even hundreds of gigabits in deep analysis mode, which makes it possible to use them in the large-business segment or even in data centers.

Below is the well-known Gartner Magic Quadrant for UTM solutions for August 2016:

I will not comment much on this picture; I will just say that the leaders are in the right-hand corner.

NGFW - Next Generation Firewall

The name speaks for itself: a next-generation firewall. This concept appeared later than UTM. The main idea of NGFW is deep packet inspection (DPI) using a built-in IPS, together with access control at the application level (Application Control). In this case, the IPS is exactly what is needed to identify a particular application in the packet stream, which allows you to permit or deny it. Example: we can allow Skype to work but prohibit file transfer. We can prohibit the use of Torrent or RDP. Web applications are also supported: you can allow access to VK.com but prohibit games, messages or watching videos. Essentially, the quality of an NGFW depends on the number of applications it can identify. Many believe that the emergence of the NGFW concept was an ordinary marketing ploy, against the background of which the company Palo Alto began its rapid growth.

Gartner Magic Quadrant for NGFW for May 2016:

UTM vs NGFW

A very common question is: which is better? There is no single answer here, and there cannot be one. Especially considering that almost all modern UTM solutions contain NGFW functionality, and most NGFWs contain functions found in UTM (antivirus, VPN, anti-bot, etc.). As always, "the devil is in the details," so first of all you need to decide what exactly you need and determine your budget. Based on these decisions, several options can be selected. And everything definitely needs to be tested, without taking marketing materials on trust.

We, in turn, over the course of several articles, will try to tell you about Check Point, how you can try it, and what, in principle, you can try (almost all of the functionality).

Three Check Point Entities

When working with Check Point, you will definitely encounter three components of this product:

  1. Security Gateway (SG) - the security gateway itself, which is usually placed on the network perimeter and performs the functions of a firewall, streaming antivirus, anti-bot, IPS, etc.
  2. Security Management Server (SMS) - the gateway management server. Almost all settings on the gateway (SG) are made using this server. The SMS can also act as a Log Server and process logs with the built-in event analysis and correlation system, Smart Event (similar to a SIEM for Check Point), but more on that later. The SMS is used for centralized management of several gateways (the number of gateways depends on the SMS model or license), but you must use it even if you have only one gateway. It should be noted here that Check Point was one of the first to use such a centralized management system, which has been recognized as the "gold standard" in Gartner reports for many years in a row. There is even a joke: "If Cisco had had a normal management system, Check Point would never have appeared."
  3. Smart Console - the client console for connecting to the management server (SMS). It is usually installed on the administrator's computer. All changes on the management server are made through this console, and after that you can apply the settings to the security gateways (Install Policy).

Check Point Operating System

Speaking of the Check Point operating system, we can recall three at once: IPSO, SPLAT and GAIA.

  1. IPSO - the operating system of Ipsilon Networks, which belonged to Nokia. In 2009, Check Point bought this business. It is no longer being developed.
  2. SPLAT - Check Point's own development, based on the RedHat kernel. It is no longer being developed.
  3. Gaia - the current operating system from Check Point, which appeared as a result of the merger of IPSO and SPLAT, incorporating the best of both. It appeared in 2012 and continues to be actively developed.

Speaking of Gaia, it should be said that at the moment the most common version is R77.30. Relatively recently the R80 version appeared, which differs significantly from the previous one (both in functionality and in management). We will devote a separate post to the topic of their differences. Another important point is that at the moment only version R77.10 has an FSTEC certificate, and version R77.30 is undergoing certification.

Deployment options (Check Point Appliance, Virtual Machine, OpenServer)

There is nothing surprising here; like many vendors, Check Point has several product options:

  1. Appliance - a hardware and software device, i.e. its own "piece of hardware". There are many models that differ in performance, functionality and design (there are options for industrial networks).

  2. Virtual Machine - a Check Point virtual machine with Gaia OS. The ESXi, Hyper-V and KVM hypervisors are supported. It is licensed by the number of processor cores.
  3. OpenServer - installing Gaia directly on a server as the main operating system (so-called "bare metal"). Only certain hardware is supported. There are recommendations for this hardware that must be followed, otherwise problems with drivers may arise and technical support may refuse to serve you.

Deployment options (Distributed or Standalone)

A little above we already discussed what the gateway (SG) and the management server (SMS) are. Now let's discuss the options for deploying them. There are two main ways:

  1. Standalone (SG+SMS) - an option where both the gateway and the management server are installed within one device (or virtual machine).

    This option is suitable when you have only one gateway that is lightly loaded with user traffic. This option is the most economical, because there is no need to buy a management server (SMS). However, if the gateway is heavily loaded, you may end up with a "slow" management system. Therefore, before choosing a Standalone solution, it is best to consult or even test this option.

  2. Distributed - the management server is installed separately from the gateway.

    The best option in terms of convenience and performance. It is used when you need to manage several gateways at once, for example a central one and branch ones. In this case, you need to buy a management server (SMS), which can also be in the form of an appliance or a virtual machine.

As I said above, Check Point has its own SIEM system, Smart Event. You can use it only in the case of a Distributed installation.

Operating modes (Bridge, Routed)

The Security Gateway (SG) can operate in two main modes:

  • Routed - the most common option. In this case, the gateway is used as an L3 device and routes traffic through itself, i.e. Check Point is the default gateway for the protected network.
  • Bridge - transparent mode. In this case, the gateway is installed as an ordinary "bridge" and passes traffic at the second layer (OSI). This option is usually used when there is no possibility (or desire) to change the existing infrastructure. You do not have to change the network topology and do not have to think about changing IP addressing.

I would like to note that Bridge mode has some functional limitations, so we, as an integrator, advise all our customers to use Routed mode, if possible, of course.

Check Point Software Blades

We have almost reached the most important Check Point topic, the one that raises the most questions among customers. What are these "software blades"? Blades are particular Check Point functions.

These functions can be turned on or off depending on your needs. At the same time, there are blades that are activated only on the gateway (Network Security) and blades that are activated only on the management server. The pictures below show examples for both cases:

1) For Network Security (gateway functionality)

Let's describe them briefly, because each blade deserves its own article.

  • Firewall - firewall functionality;
  • IPSec VPN - building private virtual networks;
  • Mobile Access - remote access from mobile devices;
  • IPS - intrusion prevention system;
  • Anti-Bot - protection against botnet networks;
  • Antivirus - streaming antivirus;
  • AntiSpam & Email Security - protection of corporate email;
  • Identity Awareness - integration with the Active Directory service;
  • Monitoring - monitoring of almost all gateway parameters (load, bandwidth, VPN status, etc.);
  • Application Control - application-level firewall (NGFW functionality);
  • URL Filtering - Web security (+ proxy functionality);
  • Data Loss Prevention - protection against information leaks (DLP);
  • Threat Emulation - sandbox technology (SandBox);
  • Threat Extraction - file cleaning technology;
  • QoS - traffic prioritization.

In just a few articles we will take a closer look at the Threat Emulation and Threat Extraction blades; I am sure it will be interesting.

2) For Management (management server functionality)

  • Network Policy Management - centralized policy management;
  • Endpoint Policy Management - centralized management of Check Point agents (yes, Check Point produces solutions not only for network protection, but also for protecting workstations (PCs) and smartphones);
  • Logging & Status - centralized collection and processing of logs;
  • Management Portal - security management from a browser;
  • Workflow - control over policy changes, audit of changes, etc.;
  • User Directory - integration with LDAP;
  • Provisioning - automation of gateway management;
  • Smart Reporter - reporting system;
  • Smart Event - analysis and correlation of events (SIEM);
  • Compliance - automatically checks settings and issues recommendations.

We will not consider licensing issues in detail now, so as not to bloat the article and confuse the reader. Most likely we will cover this in a separate post.

The blade architecture allows you to use only the functions you really need, which affects the budget of the solution and the overall performance of the device. It is logical that the more blades you activate, the less traffic you can "drive through". That is why the following performance table is attached to each Check Point model (we took the characteristics of the 5400 model as an example):

As you can see, there are two categories of tests here: on synthetic traffic and on real, mixed traffic. Generally speaking, Check Point is simply forced to publish synthetic tests, because some vendors use such tests as benchmarks without examining the performance of their solutions on real traffic (or deliberately hide such data because it is unsatisfactory).

In each type of test, you can see several options:

  1. Firewall-only test;
  2. Firewall + IPS test;
  3. Firewall + IPS + NGFW (Application Control) test;
  4. Firewall + Application Control + URL Filtering + IPS + Antivirus + Anti-Bot + SandBlast (sandbox) test.

Look carefully at these parameters when choosing your solution, or seek a consultation.

I think this is where we can finish the introductory article on Check Point technologies. Next, we will look at how you can test Check Point and how to deal with modern information security threats (viruses, phishing, ransomware, zero-day).

P.S. An important point. Despite its foreign (Israeli) origin, the solution is certified in the Russian Federation by government authorities, which permits its presence in government institutions (Denyemall).

Which UTM/NGFW tools do you use?

  • Check Point

  • Cisco Firepower

  • Fortinet

  • Palo Alto

  • Sophos

  • Dell SonicWALL

  • Huawei

  • WatchGuard

  • Juniper

  • UserGate

  • Traffic inspector

  • Rubicon

  • Ideco

  • OpenSource solutions

  • Other

134 users voted. 78 users abstained.

Source: www.habr.com
